## OVHcloud CIS Debian 10/11/12 Hardening
Modular Debian 10/11/12 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org) recommendations. We use it at [OVHcloud](https://www.ovhcloud.com) to harden our PCI-DSS infrastructure.
https://github.com/ovh/debian-cis
### Quickstart
```bash
git clone https://github.com/ovh/debian-cis.git
cd debian-cis
sudo cp debian/default /etc/default/cis-hardening
sudo sed -i "s#CIS_LIB_DIR=.*#CIS_LIB_DIR='$(pwd)'/lib#" /etc/default/cis-hardening
sudo sed -i "s#CIS_CHECKS_DIR=.*#CIS_CHECKS_DIR='$(pwd)'/bin/hardening#" /etc/default/cis-hardening
sudo sed -i "s#CIS_CONF_DIR=.*#CIS_CONF_DIR='$(pwd)'/etc#" /etc/default/cis-hardening
sudo sed -i "s#CIS_TMP_DIR=.*#CIS_TMP_DIR='$(pwd)'/tmp#" /etc/default/cis-hardening
```
### Audit your system with all enabled and audit mode scripts
```bash
./bin/hardening.sh --audit
```
### Audit your system with all SSH related scripts
```bash
find ./bin/hardening/ -name "*ssh*" -exec {} \;
```
### Audit your system with all enabled and audit mode scripts and apply changes for enabled scripts
```bash
./bin/hardening.sh --apply
```
### Other options
Additionally, some options add more granularity:
- `--audit-all`: force running all auditing scripts, including disabled ones. This will _not_ change the system.
- `--audit-all-enable-passed`: a quick way to kickstart your configuration. It runs all scripts in audit mode; every script that passes is automatically enabled for future runs. Do NOT use this option if you have already started to customize your configuration.
- `--sudo`: audit your system as a normal user, but allow sudo escalation to read specific root read-only files. You need to provide a sudoers file in `/etc/sudoers.d/` with the `NOPASSWD` option, since checks are executed with `sudo -n`, which will not prompt for a password.
- `--batch`: while performing the system audit, this option sets `LOGLEVEL` to `ok` and captures all output so that only one line is printed once the check is done, formatted like `OK|KO OK|KO|WARN{subcheck results} (OK|KO|WARN{...})`.
- `--only <check_number>`: run only the selected checks.
- `--set-hardening-level`: run all checks whose level is lower than or equal to the selected level. Do NOT use this option if you have already started to customize your configuration.
- `--allow-service <service>`: use together with `--set-hardening-level`. Modifies the policy to allow a certain kind of service on the machine, such as http, mail, etc. Can be specified multiple times to allow multiple services. Use `--allow-service-list` to get a list of supported services.
- `--set-log-level <level>`: sets `LOGLEVEL`; you can choose `info`, `warning`, `error`, `ok` or `debug`. The default value is `info`.
- `--create-config-files-only`: create the config files in `etc/conf.d`. Must be run as root, before running the audit with the `secaudit` user, so that the permissions on the conf files are set up correctly.
- `--allow-unsupported-distribution`: must be specified manually on the command line to allow the run on an incompatible version or distribution. If you want to mute the warning, change the `LOGLEVEL` in `/etc/hardening.cfg`.
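The `--batch` output format described above is what makes the audit easy to consume from a cron job or CI pipeline. The following POSIX shell snippet is an added example, not part of the debian-cis project: it summarizes batch lines, lists the checks with a `KO` verdict and returns a non-zero status when any check failed, so a job can fail on a hardening regression. The sample lines and check names are constructed here from the README's description of the format; the assumption that the first whitespace-separated field is the check name and the second its overall `OK`/`KO` verdict is this example's, not something the page states.

```shell
#!/bin/sh
# Added example: summarize debian-cis "--batch" output (not project code).
# Assumed line layout (derived from the README's description, an assumption):
#   <check_name> <OK|KO> <OK|KO|WARN>{subcheck details} ...
# Field 1 is taken as the check name, field 2 as the overall verdict.

# Constructed sample output; the check names are invented for this example
# and are not taken from the project or from a real run.
SAMPLE_BATCH_OUTPUT='example_disable_unused_fs OK OK{filesystem module is disabled}
example_sshd_root_login OK OK{PermitRootLogin no}
example_sshd_x11_forwarding KO KO{X11Forwarding yes} WARN{directive set twice}
example_tmp_partition KO KO{/tmp is not a separate partition}'

# count_verdict <OK|KO>: number of checks on stdin whose overall verdict matches
count_verdict() {
    awk -v v="$1" '$2 == v { n++ } END { print n + 0 }'
}

# failed_checks: names of the checks on stdin with a KO verdict, one per line
failed_checks() {
    awk '$2 == "KO" { print $1 }'
}

# summarize_batch: reads batch output on stdin, prints "ok=<n> ko=<n>" followed
# by one "  failed: <check>" line per KO check; exit status is 1 if any check
# failed, so a CI step can simply be "hardening.sh --audit --batch | summarize_batch".
summarize_batch() {
    input=$(cat)
    ok=$(printf '%s\n' "$input" | count_verdict OK)
    ko=$(printf '%s\n' "$input" | count_verdict KO)
    printf 'ok=%s ko=%s\n' "$ok" "$ko"
    printf '%s\n' "$input" | failed_checks | sed 's/^/  failed: /'
    [ "$ko" -eq 0 ]
}

# Stand-alone demo on the constructed sample; in real use the input would be
#   ./bin/hardening.sh --audit --batch | summarize_batch
printf '%s\n' "$SAMPLE_BATCH_OUTPUT" | summarize_batch || echo "audit has failing checks"
```

Because `summarize_batch` only looks at the second field, a `WARN` on a subcheck does not by itself fail the run; tighten the `awk` condition if warnings should also block.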
## OpenSSH Server
https://ubuntu.com/server/docs/openssh-server